
Web Canary -- client honey pot






Presentation Transcript


  1. Web Canary -- client honey pot UTSA

  2. Architecture of Web canary.

  3. Implementation of Web canary.
  • Test-bed – Dell Precision 690 workstation with dual-core 3.0 GHz CPU, 8 GB memory
  • VM – 256 MB memory, 8 GB disk space
  • Host OS – Windows XP x64 SP2
  • Guest OS – Windows XP SP2
  • VM – VMware Workstation
  • Browser – IE 6.0 SP2

  4. Guest OS
  Guest OS – runs under VMware Workstation, which provides isolation and easy reverting.
  PS – Persistent Storage: a folder shared between the guest OS and the host OS. In the guest OS, only the BHO and the Capture Client can write to this folder.
  Snapshot – a pristine state of the guest, taken with the snapshot tool of VMware Workstation; the VM is reverted to it after a detection.

  5. Design of Capture client (1)
  Capture Client: monitors file, process and registry changes in the Windows guest at kernel level, and supports exclusion lists to filter out the changes that occur during normal operation.
  The Capture Client consists of two components:
  • The kernel drivers operate in kernel space and use event-based detection (kernel callbacks) to monitor the system's state changes.
  • The user-space process receives the state changes from the kernel drivers and filters the events against the exclusion lists.

  6. Design of Capture client (2)
  Exclusion lists – some events occur during normal operation (for example the browser updating its own cache and settings), so exclusion lists let the client ignore certain types of events. Every rule on the list is a blind spot, since a change that matches a rule is never reported; rules should therefore be as narrow as the noise they are meant to cover.
  Kernel drivers – the drivers monitor the system through the existing kernel callback mechanism, which notifies registered drivers when a certain event happens. These callbacks invoke functions inside the kernel driver and pass the actual event information so that it can be recorded.
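The user-space half of the Capture Client described on slides 5 and 6 is, at its core, an exclusion-list filter. The following is an added example and not the project's own code: the event layout, the rules and the sample events are constructed for illustration, and std::regex stands in for the Boost::regex library the deck mentions in Appendix 3. It shows the filter and why each rule should pin the acting process and match the whole target path rather than a substring.

```cpp
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// A state-change event as the user-space filter receives it from the kernel
// drivers. The layout is constructed for this example, not Capture's log format.
struct Event {
    std::string kind;    // "file", "registry" or "process"
    std::string action;  // "Write", "Delete", "SetValueKey", "Created", ...
    std::string actor;   // image path of the process that caused the change
    std::string target;  // file path, registry key or image of the new process
};

// One exclusion rule. Every field is matched against the whole string with
// regex_match, so a rule cannot silently cover more than it names.
struct Rule {
    std::string kind;
    std::regex action, actor, target;
};

static std::regex re(const std::string& pattern) {
    return std::regex(pattern, std::regex::ECMAScript | std::regex::icase);
}

// Constructed exclusion list covering normal browser-session noise. Each rule
// pins the acting process: the same path written by any other process is still
// reported, because that is exactly what a dropped executable would do.
static const std::vector<Rule> kExclusions = {
    {"file", re("Write|Delete"),
     re(R"(C:\\Program Files\\Internet Explorer\\iexplore\.exe)"),
     re(R"(C:\\Documents and Settings\\[^\\]+\\Local Settings\\Temporary Internet Files\\.*)")},
    {"registry", re("SetValueKey"),
     re(R"(C:\\Program Files\\Internet Explorer\\iexplore\.exe)"),
     re(R"(HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\.*)")},
    {"file", re("Write"),
     re(R"(C:\\WINDOWS\\system32\\svchost\.exe)"),
     re(R"(C:\\WINDOWS\\Prefetch\\.*\.pf)")},
};

// Constructed sample of what the drivers might report during one page visit.
static const std::vector<Event> kSample = {
    {"file", "Write", R"(C:\Program Files\Internet Explorer\iexplore.exe)",
     R"(C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\index[1].htm)"},
    {"registry", "SetValueKey", R"(C:\Program Files\Internet Explorer\iexplore.exe)",
     R"(HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement)"},
    {"file", "Write", R"(C:\Program Files\Internet Explorer\iexplore.exe)",
     R"(C:\WINDOWS\system32\wsock32x.dll)"},
    {"process", "Created", R"(C:\Program Files\Internet Explorer\iexplore.exe)",
     R"(C:\Documents and Settings\Administrator\Local Settings\Temp\setup.exe)"},
    {"file", "Write", R"(C:\WINDOWS\system32\svchost.exe)",
     R"(C:\WINDOWS\Prefetch\IEXPLORE.EXE-2D1B2E3A.pf)"},
    // A dropped executable writing into the browser cache: the target matches
    // the first rule, but the actor does not, so the event is still reported.
    {"file", "Write", R"(C:\Documents and Settings\Administrator\Local Settings\Temp\setup.exe)",
     R"(C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\x.dat)"},
};

bool isExcluded(const Event& e, const std::vector<Rule>& rules) {
    for (const auto& r : rules) {
        if (r.kind == e.kind &&
            std::regex_match(e.action, r.action) &&
            std::regex_match(e.actor, r.actor) &&
            std::regex_match(e.target, r.target))
            return true;
    }
    return false;
}

// The events that survive the list are the "unauthorized" changes the Canary
// Server reverts the VM on and the Analysis Engine correlates to URLs.
std::vector<Event> filterEvents(const std::vector<Event>& events,
                                const std::vector<Rule>& rules) {
    std::vector<Event> kept;
    for (const auto& e : events)
        if (!isExcluded(e, rules)) kept.push_back(e);
    return kept;
}

int main() {
    for (const auto& e : filterEvents(kSample, kExclusions))
        std::cout << e.kind << ' ' << e.action << ' ' << e.actor
                  << " -> " << e.target << '\n';
    return 0;
}
```

Of the six constructed events, the cache write, the registry housekeeping and the prefetch update are dropped; the DLL written into system32, the new process and the cache write made by that new process survive. Had the first rule matched only the target path, the last event would have been lost too.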

  7. Design of Capture client (3)
  Kernel callbacks used by the drivers:
  • CmRegisterCallback – registry operations
  • PsSetCreateProcessNotifyRoutine – process creation and termination
  • FltRegisterFilter / FilterLoad – a file-system minifilter for filtering I/O operations
  e.g. a driver calls CmRegisterCallback to register a RegistryCallback routine.
  Kernel-to-user handoff: the user-space process passes a buffer it allocated into kernel space; the kernel drivers copy the event information into that buffer, so the application can process it in user space.

  8. BHO
  BHO – a Browser Helper Object which captures all the URLs visited by IE and writes them to a log in the PS (persistent storage). It is implemented as a browser add-on that records the URL requests made by the browser.

  9. Canary Server (host OS)
  Canary Server – shows the health state of the guest OS and can start, stop or revert the VM. With the user's permission it sends the detected malicious URLs to a remote central server.
  It controls VMware through the VMware C API.
  Auto-reversion – the VM is automatically reverted to its pristine snapshot upon detection of unauthorized events.

  10. Analysis Engine (host OS)
  Analysis Engine – reads the log files of the BHO and the Capture Client and correlates system changes to URLs according to a rule.
  Rule – upon receiving system change events and visited URLs, correlate them by time interval: a change is attributed to the URL(s) visited within a fixed interval before it.
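The correlation rule on this slide, as an added example rather than the paper's own analysis engine (the log layout, the 20-second window and the visits and changes are all constructed): each surviving change is matched against the visits that fall inside the window before it, and a change with more than one candidate is flagged instead of being blamed on the latest URL.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// One line of the BHO's URL log: when the browser requested which URL.
struct Visit  { double t; std::string url; };
// One line of the Capture Client log that survived the exclusion lists.
struct Change { double t; std::string what; };

// The engine's verdict for one change: every visit inside the correlation
// window, newest first. More than one candidate means the time-interval rule
// alone cannot say which page caused the change (e.g. a redirect chain).
struct Attribution {
    std::string change;
    std::vector<std::string> candidates;
};

// Rule: a change at time t belongs to the visits with t - window <= visit.t <= t.
std::vector<Attribution> correlate(std::vector<Visit> visits,
                                   const std::vector<Change>& changes,
                                   double window) {
    std::sort(visits.begin(), visits.end(),
              [](const Visit& a, const Visit& b) { return a.t < b.t; });
    std::vector<Attribution> out;
    for (const auto& c : changes) {
        Attribution a{c.what, {}};
        for (auto it = visits.rbegin(); it != visits.rend(); ++it) {
            if (it->t > c.t) continue;        // visited after the change
            if (c.t - it->t > window) break;  // outside the window; the rest are older
            a.candidates.push_back(it->url);
        }
        out.push_back(a);
    }
    return out;
}

// URLs the Canary Server may report to the central server: only unambiguous
// attributions, each URL once.
std::vector<std::string> reportable(const std::vector<Attribution>& attrs) {
    std::vector<std::string> urls;
    for (const auto& a : attrs)
        if (a.candidates.size() == 1 &&
            std::find(urls.begin(), urls.end(), a.candidates[0]) == urls.end())
            urls.push_back(a.candidates[0]);
    return urls;
}

// URLs that share a window with another visit: re-visit each alone in a
// reverted VM instead of reporting it on timing alone.
std::vector<std::string> needsRevisit(const std::vector<Attribution>& attrs) {
    std::vector<std::string> urls;
    for (const auto& a : attrs)
        if (a.candidates.size() > 1)
            for (const auto& u : a.candidates)
                if (std::find(urls.begin(), urls.end(), u) == urls.end())
                    urls.push_back(u);
    return urls;
}

// Constructed logs: seconds since the VM was reverted, with a hypothetical
// redirector at t=30 landing on a second hypothetical page one second later.
static const std::vector<Visit> kVisits = {
    {0.0,   "http://example.com/news"},
    {30.0,  "http://example.net/click"},
    {31.0,  "http://example.org/landing"},
    {120.0, "http://example.com/weather"},
};
static const std::vector<Change> kChanges = {
    {33.0,  R"(file Write C:\WINDOWS\system32\drop.dll)"},
    {125.0, R"(process Created C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe)"},
    {200.0, R"(registry SetValueKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run\update)"},
};
static const double kWindowSeconds = 20.0;  // constructed; tune to the browser's load time

int main() {
    const auto attrs = correlate(kVisits, kChanges, kWindowSeconds);
    for (const auto& a : attrs) {
        std::cout << a.change << " <- " << a.candidates.size() << " candidate(s)";
        for (const auto& u : a.candidates) std::cout << ' ' << u;
        std::cout << '\n';
    }
    for (const auto& u : reportable(attrs)) std::cout << "report: " << u << '\n';
    for (const auto& u : needsRevisit(attrs)) std::cout << "revisit: " << u << '\n';
    return 0;
}
```

The DLL drop at t=33 sits inside the window of both the redirector and its landing page, so it is queued for re-visiting rather than reported; the new process at t=125 is attributed to the weather page alone; the Run-key write at t=200 has no visit within the window at all. That last case is the first of the Questions at the end of this deck: a page that delays its payload until the window has passed, or until the next page has loaded, defeats attribution by timing alone.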

  11. Conclusion
  The paper presents a system that leverages a large, distributed network of users who, simply by using a standard Web browser, silently collaborate to detect and report malicious Web pages. The advantages of this method are that it obtains meaningful URLs from real users and can easily visit Web pages that require CAPTCHAs or passwords.

  12. Appendix 1 – Windows Driver Kit: Kernel-Mode Driver Architecture
  • PsSetCreateProcessNotifyRoutine – adds a driver-supplied callback routine to, or removes it from, a list of routines to be called whenever a process is created or deleted.
  • CmRegisterCallback – registers a RegistryCallback routine.

  13. Appendix 2 – Windows Driver Kit: Installable File System Drivers
  • FltRegisterFilter – registers a minifilter driver.
  • FilterLoad – dynamically loads a minifilter driver into the system.

  14. Appendix 3 – Boost::regex library
  Used to express the filter rules (regular expressions) of the exclusion lists.

  15. Questions
  1. Correlating a URL to a malicious Web page by time interval alone is not always right.
  2. Distributing a browser that runs inside a VM to ordinary users is not very practical.
  3. The idea of real distributed users is good, but how is the server that collects the various users' reports protected? The server is the most vulnerable unit in the whole system. And if an attacker uses the client to report many benign URLs as malicious, how are those distinguished from genuine reports?

  16. Thank you!
